On Fri, Dec 08, 2023 at 09:45:01PM +0100, Peter Zijlstra wrote: > On Fri, Dec 08, 2023 at 10:18:47AM -0800, Kees Cook wrote: > > > Even if we look at the prerequisites for mounting an attack here, we've > > already got things in place to help mitigate arbitrary code execution > > (KCFI, BTI, etc). Nothing is perfect, but speculation gadgets are > > pretty far down on the list of concerns, IMO. We have no real x86 ROP > > defense right now in the kernel, so that's a much lower hanging fruit > > for attackers. > > Supervisor shadow stacks, as they exist today, just can't work on Linux. Yeah, totally agreed. I still wonder if we can extend KCFI to cover return paths (i.e. emitting cookies for return destinations and doing pre-return cookie checking for return destinations). > Should get fixed with FRED, but yeah, this is all somewhat unfortunate. Agreed. > > As another comparison, on x86 there are so many direct execution gadgets > > present in middle-of-instruction code patterns that worrying about a > > speculation gadget seems silly to me. > > FineIBT (or even IBT) limits the middle of function gadgets > significantly. Right -- for indirect calls we are at least able to restrict to same-prototype (KCFI) or "actual function" (IBT). Regardless, for the case at hand, it seems like the Rust wrappers are still not "reachable" since we do BTB stuffing to defang these kinds of speculation gadgets. -Kees -- Kees Cook
